[Security] Reminder :: Draft feedback on "C2C authentication using TLS"

Jonathan Schleifer js-xmpp-security at webkeks.org
Mon Aug 25 05:16:33 CDT 2008


Am 25.08.2008 um 12:05 schrieb Dirk Meyer:

> But where to put the fingerprint? IMHO that is needed to know if we
> can use that mechanism. The information that the other side supports
> X.509 is useless when I have no way to verify the key. The only option
> I see it the 'name':
>
> <item jid='urn:xmpp:c2ctls:x509'
>          name='fingerprint'/>
>
> Looks kind of strange. On the other hand, the fingerprint is some sort
> of name of the certificate.

Can you please explain me why you want a fingerprint there? That's  
totally useless IMO, the server could forge that.

--
Jonathan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 801 bytes
Desc: This is a digitally signed message part
Url : http://mail.jabber.org/pipermail/security/attachments/20080825/d71109a4/attachment.pgp 


More information about the Security mailing list